Microsoft Security Operations Analyst — Question 77

You have a Microsoft 365 subscription. The subscription contains 500 devices that are onboarded to Microsoft Defender for Endpoint.

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to run a pilot on 50 devices that will remediate threats automatically. The solution must meet the following requirements:

• Minimize the impact on devices that are excluded from the pilot.
• Minimize administrative effort.

What should you configure first?

Answer options

• A. a playbook
• B. an endpoint security policy
• C. a device group
• D. an automation rule

Correct answer: C

Explanation

The correct answer is C, as creating a device group allows you to specifically target the 50 devices for the pilot, ensuring minimal impact on those not included. The other options, such as playbooks or automation rules, are secondary actions that rely on having a defined group of devices to operate on and would not directly address the initial requirement.